-+## dontaudit Read and write the TUN/TAP virtual network device.
+ ########################################
+ ##
+-## Send and receive TCP network traffic on the generic interfaces.
++## Send and receive TCP network traffic on generic interfaces.
+ ##
++##
++##
++## Allow the specified domain to send and receive TCP network
++## traffic on generic network interfaces.
++##
++##
++## Related interface:
++##
++##
++## - corenet_all_recvfrom_unlabeled()
++## - corenet_tcp_sendrecv_generic_node()
++## - corenet_tcp_sendrecv_all_ports()
++## - corenet_tcp_connect_all_ports()
++##
++##
++## Example client being able to connect to all ports over
++## generic nodes, without labeled networking:
++##
++##
++## allow myclient_t self:tcp_socket create_stream_socket_perms;
++## corenet_tcp_sendrecv_generic_if(myclient_t)
++## corenet_tcp_sendrecv_generic_node(myclient_t)
++## corenet_tcp_sendrecv_all_ports(myclient_t)
++## corenet_tcp_connect_all_ports(myclient_t)
++## corenet_all_recvfrom_unlabeled(myclient_t)
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
+ ##
+@@ -233,13 +260,39 @@
+
+ ########################################
+ ##
+-## Send and Receive UDP network traffic on generic interfaces.
++## Send and receive UDP network traffic on generic interfaces.
+ ##
++##
++##
++## Allow the specified domain to send and receive UDP network
++## traffic on generic network interfaces.
++##
++##
++## Related interface:
++##
++##
++## - corenet_all_recvfrom_unlabeled()
++## - corenet_udp_sendrecv_generic_node()
++## - corenet_udp_sendrecv_all_ports()
++##
++##
++## Example client being able to send to all ports over
++## generic nodes, without labeled networking:
++##
++##
++## allow myclient_t self:udp_socket create_socket_perms;
++## corenet_udp_sendrecv_generic_if(myclient_t)
++## corenet_udp_sendrecv_generic_node(myclient_t)
++## corenet_udp_sendrecv_all_ports(myclient_t)
++## corenet_all_recvfrom_unlabeled(myclient_t)
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_udp_sendrecv_generic_if',`
+ corenet_udp_send_generic_if($1)
+@@ -491,11 +544,39 @@
+ ##
+ ## Send and receive TCP network traffic on generic nodes.
+ ##
++##
++##
++## Allow the specified domain to send and receive TCP network
++## traffic to/from generic network nodes (hostnames/networks).
++##
++##
++## Related interface:
++##
++##
++## - corenet_all_recvfrom_unlabeled()
++## - corenet_tcp_sendrecv_generic_if()
++## - corenet_tcp_sendrecv_all_ports()
++## - corenet_tcp_connect_all_ports()
++##
++##
++## Example client being able to connect to all ports over
++## generic nodes, without labeled networking:
++##
++##
++## allow myclient_t self:tcp_socket create_stream_socket_perms;
++## corenet_tcp_sendrecv_generic_if(myclient_t)
++## corenet_tcp_sendrecv_generic_node(myclient_t)
++## corenet_tcp_sendrecv_all_ports(myclient_t)
++## corenet_tcp_connect_all_ports(myclient_t)
++## corenet_all_recvfrom_unlabeled(myclient_t)
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_tcp_sendrecv_generic_node',`
+ gen_require(`
+@@ -545,11 +626,37 @@
+ ##
+ ## Send and receive UDP network traffic on generic nodes.
+ ##
++##
++##
++## Allow the specified domain to send and receive UDP network
++## traffic to/from generic network nodes (hostnames/networks).
++##
++##
++## Related interface:
++##
++##
++## - corenet_all_recvfrom_unlabeled()
++## - corenet_udp_sendrecv_generic_if()
++## - corenet_udp_sendrecv_all_ports()
++##
++##
++## Example client being able to send to all ports over
++## generic nodes, without labeled networking:
++##
++##
++## allow myclient_t self:udp_socket create_socket_perms;
++## corenet_udp_sendrecv_generic_if(myclient_t)
++## corenet_udp_sendrecv_generic_node(myclient_t)
++## corenet_udp_sendrecv_all_ports(myclient_t)
++## corenet_all_recvfrom_unlabeled(myclient_t)
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_udp_sendrecv_generic_node',`
+ corenet_udp_send_generic_node($1)
+@@ -611,11 +718,26 @@
+ ##
+ ## Bind TCP sockets to generic nodes.
+ ##
++##
++##
++## Bind TCP sockets to generic nodes. This is
++## necessary for binding a socket so it
++## can be used for servers to listen
++## for incoming connections.
++##
++##
++## Related interface:
++##
++##
++## - corenet_udp_bind_generic_node()
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_tcp_bind_generic_node',`
+ gen_require(`
+@@ -629,11 +751,26 @@
+ ##
+ ## Bind UDP sockets to generic nodes.
+ ##
++##
++##
++## Bind UDP sockets to generic nodes. This is
++## necessary for binding a socket so it
++## can be used for servers to listen
++## for incoming connections.
++##
++##
++## Related interface:
++##
++##
++## - corenet_tcp_bind_generic_node()
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_udp_bind_generic_node',`
+ gen_require(`
+@@ -1112,11 +1249,37 @@
+ ##
+ ## Send and receive TCP network traffic on all ports.
+ ##
++##
++##
++## Send and receive TCP network traffic on all ports.
++## Related interfaces:
++##
++##
++## - corenet_all_recvfrom_unlabeled()
++## - corenet_tcp_sendrecv_generic_if()
++## - corenet_tcp_sendrecv_generic_node()
++## - corenet_tcp_connect_all_ports()
++## - corenet_tcp_bind_all_ports()
++##
++##
++## Example client being able to connect to all ports over
++## generic nodes, without labeled networking:
++##
++##
++## allow myclient_t self:tcp_socket create_stream_socket_perms;
++## corenet_tcp_sendrecv_generic_if(myclient_t)
++## corenet_tcp_sendrecv_generic_node(myclient_t)
++## corenet_tcp_sendrecv_all_ports(myclient_t)
++## corenet_tcp_connect_all_ports(myclient_t)
++## corenet_all_recvfrom_unlabeled(myclient_t)
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_tcp_sendrecv_all_ports',`
+ gen_require(`
+@@ -1166,11 +1329,35 @@
+ ##
+ ## Send and receive UDP network traffic on all ports.
+ ##
++##
++##
++## Send and receive UDP network traffic on all ports.
++## Related interfaces:
++##
++##
++## - corenet_all_recvfrom_unlabeled()
++## - corenet_udp_sendrecv_generic_if()
++## - corenet_udp_sendrecv_generic_node()
++## - corenet_udp_bind_all_ports()
++##
++##
++## Example client being able to send to all ports over
++## generic nodes, without labeled networking:
++##
++##
++## allow myclient_t self:udp_socket create_socket_perms;
++## corenet_udp_sendrecv_generic_if(myclient_t)
++## corenet_udp_sendrecv_generic_node(myclient_t)
++## corenet_udp_sendrecv_all_ports(myclient_t)
++## corenet_all_recvfrom_unlabeled(myclient_t)
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_udp_sendrecv_all_ports',`
+ corenet_udp_send_all_ports($1)
+@@ -1255,11 +1442,39 @@
+ ##
+ ## Connect TCP sockets to all ports.
+ ##
++##
++##
++## Connect TCP sockets to all ports
++##
++##
++## Related interfaces:
++##
++##
++## - corenet_all_recvfrom_unlabeled()
++## - corenet_tcp_sendrecv_generic_if()
++## - corenet_tcp_sendrecv_generic_node()
++## - corenet_tcp_sendrecv_all_ports()
++## - corenet_tcp_bind_all_ports()
++##
++##
++## Example client being able to connect to all ports over
++## generic nodes, without labeled networking:
++##
++##
++## allow myclient_t self:tcp_socket create_stream_socket_perms;
++## corenet_tcp_sendrecv_generic_if(myclient_t)
++## corenet_tcp_sendrecv_generic_node(myclient_t)
++## corenet_tcp_sendrecv_all_ports(myclient_t)
++## corenet_tcp_connect_all_ports(myclient_t)
++## corenet_all_recvfrom_unlabeled(myclient_t)
++##
++##
+ ##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_tcp_connect_all_ports',`
+ gen_require(`
+@@ -1705,6 +1920,25 @@
+
+ ########################################
+ ##
++## Do not audit attempts to read or write the TUN/TAP
++## virtual network device.
+##
+##
+##
-+## The domain allowed access.
++## Domain to not audit.
+##
+##
+#
@@ -2561,29 +3005,101 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 tun_tap_device_t:chr_file { read write };
+')
+
- ########################################
- ##
++########################################
++##
## Getattr the point-to-point device.
+ ##
+ ##
+@@ -2207,11 +2441,23 @@
+ ##
+ ## Receive packets from an unlabeled connection.
+ ##
++##
++##
++## Allow the specified domain to receive packets from an
++## unlabeled connection. On machines that do not utilize
++## labeled networking, this will be required on all
++## networking domains. On machines tha do utilize
++## labeled networking, this will be required for any
++## networking domain that is allowed to receive
++## network traffic that does not have a label.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_all_recvfrom_unlabeled',`
+ kernel_tcp_recvfrom_unlabeled($1)
+@@ -2229,11 +2475,22 @@
+ ##
+ ## Receive packets from a NetLabel connection.
+ ##
++##
++##
++## Allow the specified domain to receive NetLabel
++## network traffic, which utilizes the Commercial IP
++## Security Option (CIPSO) to set the MLS level
++## of the network packets. This is required for
++## all networking domains that receive NetLabel
++## network traffic.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+ interface(`corenet_all_recvfrom_netlabel',`
+ gen_require(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-03-23 13:47:00.760390185 +0100
-@@ -74,6 +74,7 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-03-30 08:54:31.503611267 +0200
+@@ -1,5 +1,5 @@
+
+-policy_module(corenetwork, 1.13.0)
++policy_module(corenetwork, 1.13.9)
+
+ ########################################
+ #
+@@ -25,6 +25,7 @@
+ #
+ type tun_tap_device_t;
+ dev_node(tun_tap_device_t)
++mls_trusted_object(tun_tap_device_t)
+
+ ########################################
+ #
+@@ -74,55 +75,55 @@
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
-+network_port(amqp, tcp,5171,s0, udp,5171,s0, tcp,5172,s0, udp,5172,s0)
++network_port(amqp, tcp,5671,s0, udp,5671,s0, tcp,5672,s0, udp,5672,s0)
network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
-@@ -85,6 +86,7 @@
+ network_port(audit, tcp,60,s0)
+ network_port(auth, tcp,113,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
++network_port(boinc, tcp,31416,s0)
+ type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+ network_port(certmaster, tcp,51235,s0)
++network_port(chronyd, udp,323,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
+network_port(cobbler, tcp,25151,s0)
++network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
- network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
-@@ -92,11 +94,12 @@
+-network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
+-portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
++network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
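Review bot: `mls_trusted_object(tun_tap_device_t)` is added with no comment saying which cross-level access it is meant to permit; marking a device node as an MLS trusted object exempts it from the MLS read/write constraints, so the reason (presumably a tunnel daemon running at a different level from the device) should sit next to the line, e.g. `# TUN/TAP is shared across MLS levels by tunnel daemons — confirm which domain needed this`. The AMQP correction to 5671/5672 is a real fix, but neither it nor the trusted-object change is mentioned in the changelog at the end of this patch. The `policy_module(corenetwork, ...)` jump from 1.13.0 to 1.13.9 in a single patch also hints that several upstream revisions were folded together, which makes this hunk harder to bisect later.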
@@ -2594,21 +3110,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
-+network_port(epmap, udp,135,s0, tcp,135,s0)
++network_port(epmap, tcp,135,s0, udp,135,s0)
network_port(festival, tcp,1314,s0)
network_port(fingerd, tcp,79,s0)
network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
-@@ -148,7 +151,9 @@
+-network_port(ftp, tcp,21,s0)
++network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
+ network_port(ftp_data, tcp,20,s0)
+-network_port(ftps, tcp,990,s0, udp,990,s0)
+ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+ network_port(giftd, tcp,1213,s0)
+ network_port(git, tcp,9418,s0, udp,9418,s0)
+ network_port(gopher, tcp,70,s0, udp,70,s0)
+ network_port(gpsd, tcp,2947,s0)
+ network_port(hddtemp, tcp,7634,s0)
+-network_port(howl, tcp,5353,s0, udp,5353,s0)
++network_port(howl, tcp,5335,s0, udp,5353,s0)
+ network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+ network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+-portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
+-network_port(chronyd, udp,323,s0)
++network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+ network_port(i18n_input, tcp,9010,s0)
+ network_port(imaze, tcp,5323,s0, udp,5323,s0)
+ network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+ network_port(innd, tcp,119,s0)
+ network_port(ipmi, udp,623,s0, udp,664,s0)
+-network_port(ipp, tcp,631,s0, udp,631,s0)
+-portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
+-portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
++network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
+ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+ network_port(ircd, tcp,6667,s0)
+ network_port(isakmp, udp,500,s0)
+@@ -145,10 +146,13 @@
+ network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+ network_port(monopd, tcp,1234,s0)
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
++network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
-+network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
++network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
+network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
-@@ -195,7 +200,7 @@
+@@ -195,7 +199,7 @@
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
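Review bot: The `howl` entry moves its TCP port from 5353 to 5335 while UDP stays at 5353; if 5335 is intentional it needs a comment, because 5335/5353 read like a transposition and a wrong port label silently changes which domains may bind or connect to it. Folding port 990 into `ftp_port_t` and deleting the `ftps` line removes a type, so every `corenet_*_ftps_port()` caller in the policy must change in the same patch (only the hald_dccm_t update further down is visible here), and domains previously limited to port 21 now also reach 990 and vice versa. A comment on the merged line, e.g. `# 990 (implicit FTPS) folded into ftp_port_t; ftps_port_t removed`, would make the aliasing explicit.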
@@ -2617,6 +3167,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
+@@ -211,16 +215,13 @@
+ network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
+ network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
+ network_port(transproxy, tcp,8081,s0)
++network_port(ups, tcp,3493,s0)
+ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
+ network_port(uucpd, tcp,540,s0)
+-network_port(ups, tcp,3493,s0)
+ network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
+ network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+-network_port(virt_migration, tcp,49152,s0)
+-portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
+-network_port(vnc, tcp,5900,s0)
+-# Reserve 100 ports for vnc/virt machines
+-portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
++network_port(virt_migration, tcp,49152-49216,s0)
++network_port(vnc, tcp,5900-5999,s0)
+ network_port(wccp, udp,2048,s0)
+ network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
+ network_port(xdmcp, udp,177,s0, tcp,177,s0)
+@@ -249,9 +250,8 @@
+ # nodes in net_contexts or net_contexts.mls.
+ #
+ type node_t, node_type;
+-sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
+-
+ typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
++sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
+
+ # network_node examples:
+ #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-03-15 10:19:23.322613725 +0100
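Review bot: Collapsing the vnc ports into `network_port(vnc, tcp,5900-5999,s0)` drops the only explanatory comment, `# Reserve 100 ports for vnc/virt machines`; keep it on the new line so the range is not trimmed later by someone who only knows VNC's default 5900. The `virt_migration` merge to 49152-49216 likewise absorbs the previous single-port line without saying why the whole range is one type. Moving `sid node gen_context(...)` below the `typealias` only changes declaration order; if the compiler requires it, say so in the hunk, otherwise it is churn that obscures the real changes.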
@@ -4798,7 +5379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-15 18:09:26.443629787 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-30 09:03:46.339860958 +0200
@@ -39,6 +39,8 @@
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
@@ -4828,7 +5409,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -344,7 +350,11 @@
+@@ -268,6 +274,7 @@
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
++ userdom_unpriv_usertype(unconfined, unconfined_java_t)
+
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+@@ -344,7 +351,11 @@
')
optional_policy(`
@@ -4841,7 +5430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -405,7 +415,7 @@
+@@ -405,7 +416,7 @@
type unconfined_execmem_t;
type nsplugin_exec_t;
')
@@ -7939,7 +8528,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-15 10:42:13.048864743 +0100
++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-30 08:54:31.516876450 +0200
+@@ -1,5 +1,5 @@
+
+-policy_module(hal, 1.12.0)
++policy_module(hal, 1.12.1)
+
+ ########################################
+ #
+@@ -64,9 +64,9 @@
+ #
+
+ # execute openvt which needs setuid
+-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice sys_resource dac_override dac_read_search mknod sys_rawio sys_tty_config };
++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+-allow hald_t self:process { getattr signal_perms };
++allow hald_t self:process { getsched getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
+ allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow hald_t self:unix_dgram_socket create_socket_perms;
@@ -121,6 +121,7 @@
corenet_udp_sendrecv_all_ports(hald_t)
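Review bot: After the edit to the `allow hald_t self:capability { ... }` line, `sys_tty_config` is still listed both there and in the `dontaudit hald_t self:capability {sys_ptrace sys_tty_config };` line directly below it; a dontaudit on a permission that is already allowed is a no-op, so the dontaudit can be reduced to `dontaudit hald_t self:capability sys_ptrace;`. Dropping `sys_resource` from the allow set is a genuine tightening, but nothing records why it became unnecessary, and the changelog at the end of this patch does not mention the hal module at all.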
@@ -7948,7 +8556,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand(hald_t)
dev_read_input(hald_t)
dev_read_mouse(hald_t)
-@@ -272,6 +273,10 @@
+@@ -165,7 +166,6 @@
+ fs_unmount_dos_fs(hald_t)
+ fs_manage_dos_files(hald_t)
+ fs_manage_fusefs_dirs(hald_t)
+-fs_manage_fusefs_files(hald_t)
+ fs_rw_removable_blk_files(hald_t)
+
+ files_getattr_all_mountpoints(hald_t)
+@@ -186,7 +186,7 @@
+
+ # hal_probe_serial causes these
+ term_setattr_unallocated_ttys(hald_t)
+-term_dontaudit_use_unallocated_ttys(hald_t)
++term_use_unallocated_ttys(hald_t)
+
+ auth_use_nsswitch(hald_t)
+
+@@ -215,9 +215,9 @@
+ seutil_read_default_contexts(hald_t)
+ seutil_read_file_contexts(hald_t)
+
++sysnet_read_config(hald_t)
+ sysnet_domtrans_dhcpc(hald_t)
+ sysnet_domtrans_ifconfig(hald_t)
+-sysnet_read_config(hald_t)
+ sysnet_read_dhcp_config(hald_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(hald_t)
+@@ -272,6 +272,10 @@
')
optional_policy(`
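Review bot: Replacing `term_dontaudit_use_unallocated_ttys(hald_t)` with `term_use_unallocated_ttys(hald_t)` turns a denial that was merely silenced into a grant, so hald_t now gets real access to unallocated tty devices; the existing comment `# hal_probe_serial causes these` explains the denial, not why the probe must succeed. Record the reason on the line, e.g. `# hal_probe_serial must open unallocated ttys to detect serial devices`, so a later cleanup does not revert it to dontaudit. Removing `fs_manage_fusefs_files(hald_t)` while keeping `fs_manage_fusefs_dirs` is a tightening that is also left unexplained.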
@@ -7959,7 +8595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -322,6 +327,10 @@
+@@ -322,11 +326,19 @@
')
optional_policy(`
@@ -7970,17 +8606,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
-@@ -331,6 +340,10 @@
- ')
optional_policy(`
+ usbmuxd_stream_connect(hald_t)
-+')
++')
+
+optional_policy(`
- vbetool_domtrans(hald_t)
+ updfstab_domtrans(hald_t)
')
+@@ -483,9 +495,10 @@
+ #
+ # Local hald dccm policy
+ #
+-allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
++
+ allow hald_dccm_t self:capability { chown net_bind_service };
+ allow hald_dccm_t self:process getsched;
++allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
+ allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+ allow hald_dccm_t self:udp_socket create_socket_perms;
+ allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+@@ -508,11 +521,9 @@
+
+ write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+-dev_read_urand(hald_dccm_t)
+-
+ kernel_search_network_sysctl(hald_dccm_t)
+
+-hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
++dev_read_urand(hald_dccm_t)
+
+ corenet_all_recvfrom_unlabeled(hald_dccm_t)
+ corenet_all_recvfrom_netlabel(hald_dccm_t)
+@@ -525,7 +536,7 @@
+ corenet_tcp_bind_generic_node(hald_dccm_t)
+ corenet_udp_bind_generic_node(hald_dccm_t)
+ corenet_udp_bind_dhcpc_port(hald_dccm_t)
+-corenet_tcp_bind_ftps_port(hald_dccm_t)
++corenet_tcp_bind_ftp_port(hald_dccm_t)
+ corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+ logging_send_syslog_msg(hald_dccm_t)
+@@ -534,6 +545,8 @@
+
+ miscfiles_read_localization(hald_dccm_t)
+
++hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
++
+ optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.6.32/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/inn.te 2010-03-01 15:13:35.203742322 +0100
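Review bot: `corenet_tcp_bind_ftp_port(hald_dccm_t)` replacing `corenet_tcp_bind_ftps_port` is the required follow-up to the merge of port 990 into `ftp_port_t` in the corenetwork hunk above, but it also lets hald_dccm_t bind port 21 as well as 990; if only the FTPS port was intended, no type expresses that any more, and a comment should say the wider bind is accepted. The moves of `allow hald_dccm_t self:fifo_file rw_fifo_file_perms;`, `dev_read_urand(hald_dccm_t)` and `hal_dontaudit_rw_dgram_sockets(hald_dccm_t)` are pure reordering mixed into the same hunk; splitting them out would leave the permission change reviewable on its own.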
@@ -9043,12 +9720,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-03-23 13:04:18.554640618 +0100
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-03-30 16:16:09.963611408 +0200
@@ -45,12 +45,14 @@
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
-+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
++allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
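Review bot: Adding `relabelto` to `allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };` carries no comment saying which operation needed it; note it inline, e.g. `# relabelfrom/relabelto: attach to persistent tun devices — confirm against the triggering denial`, so the permission is not widened further later without a reason. Because the target is `self`, the rule as written only lets NetworkManager_t relabel a tun socket to its own type, not hand it to another domain, which is worth stating to avoid over-reading the permission.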
@@ -9175,8 +9852,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read nx home directory content
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-26 14:19:37.820463477 +0100
-@@ -85,6 +85,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-03-30 16:18:00.117861110 +0200
+@@ -36,6 +36,9 @@
+ type openvpn_var_run_t;
+ files_pid_file(openvpn_var_run_t)
+
++type openvpn_tmp_t;
++files_tmp_file(openvpn_tmp_t)
++
+ ########################################
+ #
+ # openvpn local policy
+@@ -65,6 +68,9 @@
+ manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+ files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+
++manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
++files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
++
+ kernel_read_kernel_sysctls(openvpn_t)
+ kernel_read_net_sysctls(openvpn_t)
+ kernel_read_network_state(openvpn_t)
+@@ -85,6 +91,7 @@
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
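Review bot: `files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)` and the matching `manage_files_pattern` only cover regular files; if openvpn also creates directories or sockets under /tmp they would keep the generic tmp label, so either extend both to `{ file dir }` as the `files_pid_filetrans` line just above does, or add a comment recording that only files are expected. A one-line comment above `type openvpn_tmp_t;` naming what openvpn writes to /tmp would make the new type self-documenting.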
@@ -9184,7 +9881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
-@@ -102,6 +103,9 @@
+@@ -102,6 +109,9 @@
auth_use_pam(openvpn_t)
@@ -11614,6 +12311,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(winbind_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.32/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te 2010-01-18 18:24:22.887530493 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sasl.te 2010-03-30 08:55:29.818860362 +0200
+@@ -50,6 +50,8 @@
+ kernel_read_kernel_sysctls(saslauthd_t)
+ kernel_read_system_state(saslauthd_t)
+
++corecmd_exec_bin(saslauthd_t)
++
+ corenet_all_recvfrom_unlabeled(saslauthd_t)
+ corenet_all_recvfrom_netlabel(saslauthd_t)
+ corenet_tcp_sendrecv_generic_if(saslauthd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-02-09 15:04:54.083866070 +0100
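Review bot: `corecmd_exec_bin(saslauthd_t)` lets an authentication daemon execute every bin_t-labelled program in its own domain with no transition, which is a broad grant; the line should name the helper that triggered it, e.g. `# saslauthd executes <helper> — TODO name it from the denial`, so the rule can later be narrowed to a specific executable type. The changelog at the end of this patch does not mention the sasl module.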
@@ -15341,7 +16050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-18 10:10:48.712514201 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-30 16:31:01.466611238 +0200
@@ -133,7 +133,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15394,7 +16103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -432,9 +433,22 @@
+@@ -432,9 +433,23 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -15412,7 +16121,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/transcode/filter_yuvdenoise\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
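Review bot: The new `/usr/lib(64)?/libgpac\.so.*` entry uses the loose `\.so.*` suffix, while the libGL rule earlier in the same file uses `\.so(\.[^/]*)*`, which only matches version suffixes and cannot spill into unrelated names such as `libgpac.sox`; using the stricter form keeps the textrel_shlib_t (execmod) exemption as narrow as the file's own convention allows. The libkmplayercommon line appears to be re-emitted with only whitespace differences, which adds noise to the hunk.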
@@ -15960,7 +16670,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Full management of the semanage
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-03-30 08:54:31.529611109 +0200
+@@ -1,5 +1,5 @@
+
+-policy_module(selinuxutil, 1.13.0)
++policy_module(selinuxutil, 1.13.1)
+
+ gen_require(`
+ bool secure_mode;
@@ -190,6 +190,7 @@
init_use_script_fds(load_policy_t)
@@ -15969,6 +16686,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(load_policy_t)
+@@ -258,25 +259,19 @@
+ selinux_compute_relabel_context(newrole_t)
+ selinux_compute_user_contexts(newrole_t)
+
+-term_use_all_user_ttys(newrole_t)
+-term_use_all_user_ptys(newrole_t)
+-term_relabel_all_user_ttys(newrole_t)
+-term_relabel_all_user_ptys(newrole_t)
++term_use_all_ttys(newrole_t)
++term_use_all_ptys(newrole_t)
++term_relabel_all_ttys(newrole_t)
++term_relabel_all_ptys(newrole_t)
+ term_getattr_unallocated_ttys(newrole_t)
+ term_dontaudit_use_unallocated_ttys(newrole_t)
+
+-auth_use_nsswitch(newrole_t)
+-auth_domtrans_chk_passwd(newrole_t)
+-auth_domtrans_upd_passwd(newrole_t)
+-auth_rw_faillog(newrole_t)
++auth_use_pam(newrole_t)
+
+ # Write to utmp.
+ init_rw_utmp(newrole_t)
+ init_use_fds(newrole_t)
+
+-logging_send_audit_msgs(newrole_t)
+-logging_send_syslog_msg(newrole_t)
+-
+ miscfiles_read_localization(newrole_t)
+
+ seutil_libselinux_linked(newrole_t)
+@@ -514,6 +509,12 @@
+ allow setfiles_mac_t self:capability2 mac_admin;
+ kernel_relabelto_unlabeled(setfiles_mac_t)
+
++optional_policy(`
++ livecd_dontaudit_leaks(setfiles_mac_t)
++ livecd_rw_tmp_files(setfiles_mac_t)
++ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
++')
++
+ ifdef(`hide_broken_symptoms',`
+ optional_policy(`
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.6.32/policy/modules/system/sosreport.fc
--- nsaserefpolicy/policy/modules/system/sosreport.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sosreport.fc 2010-03-15 22:24:08.238477345 +0100
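Review bot: `term_use_all_ttys(newrole_t)` / `term_relabel_all_ttys(newrole_t)` and the pty variants widen newrole_t from user ttys/ptys to every tty and pty type, a real scope increase for a setuid role-change helper that deserves a comment stating which terminal types were being denied. Replacing `auth_use_nsswitch`, `auth_domtrans_chk_passwd`, `auth_domtrans_upd_passwd`, `auth_rw_faillog`, `logging_send_audit_msgs` and `logging_send_syslog_msg` with `auth_use_pam(newrole_t)` is only safe if that interface supplies all of them — presumably it does, but the audit-message permission in particular should be verified since newrole logs role changes. In the `setfiles_mac_t` block, `dev_dontaudit_write_all_chr_files(setfiles_mac_t)` is a core devices interface sitting inside an `optional_policy` block otherwise made of `livecd_*` calls, so it is silently skipped whenever the livecd module is absent; move it out of the block unless that gating is intentional, in which case a comment should say so.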
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4ec9b0e..4fe776f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 107%{?dist}
+Release: 108%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Tue Mar 30 2010 Miroslav Grepl 3.6.32-108
+- Add label for libgpac library
+- Fixes for openvpn
+
* Fri Mar 26 2010 Miroslav Grepl 3.6.32-107
- Allow pppd to read and write to modem devices